CVE-2026-27646
Published: 23 March 2026
Summary
CVE-2026-27646 is a medium-severity Incorrect Authorization (CWE-863) vulnerability in Openclaw Openclaw. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Escape to Host (T1611); ranked at the 2.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-39 (Process Isolation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations to prevent authorized sandboxed sessions from bypassing restrictions via the /acp spawn command to initialize host-side ACP runtime.
Applies least privilege to restrict low-privileged sandboxed sessions from performing unauthorized host-side ACP session initialization.
Implements process isolation to prevent sandboxed processes from escaping and accessing or initializing host-side resources.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Sandbox escape via incorrect authorization in /acp spawn directly enables breaking out to host runtime (T1611) and is exploited for privilege escalation from restricted context (T1068).
NVD Description
OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn command that allows authorized sandboxed sessions to initialize host-side ACP runtime. Attackers can bypass sandbox restrictions by invoking the /acp spawn slash-command to cross from sandboxed…
more
chat context into host-side ACP session initialization when ACP is enabled.
Deeper analysisAI
OpenClaw versions prior to 2026.3.7 are affected by CVE-2026-27646, a sandbox escape vulnerability in the /acp spawn command. This flaw allows authorized sandboxed sessions to initialize host-side ACP runtime when ACP is enabled, enabling attackers to bypass sandbox restrictions by invoking the /acp spawn slash-command to transition from a sandboxed chat context into host-side ACP session initialization. The vulnerability is associated with CWE-863 (Incorrect Authorization) and carries a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N), indicating medium severity with local access requirements, low complexity, and low privileges needed.
An attacker with low privileges (PR:L) in an authorized sandboxed session can exploit this vulnerability locally without user interaction. By issuing the /acp spawn command, they achieve a sandbox escape, gaining the ability to initialize host-side ACP runtime. This results in low impact to confidentiality (C:L), high impact to integrity (I:H) through unauthorized execution outside the sandbox, and no impact to availability (A:N), potentially allowing further compromise of the host environment.
Mitigation is addressed in OpenClaw version 2026.3.7 and later, as evidenced by the referenced GitHub commit (61000b8e4ded919ca1a825d4700db4cb3fdc56e3) that likely implements the fix. Security advisories from GitHub (GHSA-9q36-67vc-rrwg) and Vulncheck provide additional details on the issue and recommend updating to patched versions to prevent exploitation.
Details
- CWE(s)